Vulnerabilities are reported multiple times in the same report
Summary
In the Merge Request Security widget, some vulnerabilities are listed multiple times, and interacting with one occurrence (for example dismissing it) also updates the other occurrences of the same finding.
Steps to reproduce
- Run SAST in several pipelines, for different commits of the same merge request, then open the Merge Request Security widget.
Example Project
gitlab-org/security-products/analyzers/nodejs-scan!24 (merged)
What is the current bug behavior?
Several occurrences of the finding "Medium (High): Potential file inclusion via variable" refer to the same line and the same vulnerability.
What is the expected correct behavior?
A single occurrence per distinct vulnerability, regardless of how many pipelines reported it.
Relevant logs and/or screenshots
(Dismissing the occurrences at the top also updated the ones at the bottom; supposedly fixed.)
Possible fixes
We need to recognize the same vulnerability across pipeline runs more reliably, so that one finding reported by several pipelines is merged into one record instead of being shown once per pipeline: #6590 (closed)
/cc @twoodham @gonzoyumo @sethgitlab for prioritization (I'm aware it's an old problem, but if we don't create a bug for it, it will never get fixed).
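To make the "Possible fixes" point concrete, here is an added example that is not GitLab's code and not part of this bug report. It parses two constructed SAST reports (field names follow the GitLab SAST report JSON shape: vulnerabilities, scanner, identifiers, location; the `cve` strings embedding a short commit SHA are an assumption made here to model a per-run value). It shows why keying on a per-run field yields one row per pipeline, and how a fingerprint built only from finding-describing fields collapses the duplicates into one record that a dismissal can act on.

```ruby
require 'json'
require 'digest'

# Constructed sample reports (not real pipeline output). Field names follow the
# GitLab SAST report JSON (vulnerabilities / scanner / identifiers / location).
# The `cve` string embedding a short commit SHA is an assumption made here to
# model a per-run value that differs between pipelines for the same finding.
REPORT_PIPELINE_1 = <<~JSON
  {"version": "2.3", "vulnerabilities": [
    {"category": "sast", "name": "Potential file inclusion via variable",
     "severity": "Medium", "confidence": "High",
     "cve": "a1b2c3d:app/router.js:node_lfi",
     "scanner": {"id": "nodejs_scan", "name": "NodeJsScan"},
     "location": {"file": "app/router.js", "start_line": 42, "end_line": 42},
     "identifiers": [{"type": "nodejs_scan_rule_id", "name": "node_lfi", "value": "node_lfi"}]}
  ]}
JSON

REPORT_PIPELINE_2 = <<~JSON
  {"version": "2.3", "vulnerabilities": [
    {"category": "sast", "name": "Potential file inclusion via variable",
     "severity": "Medium", "confidence": "High",
     "cve": "e5f6a7b:app/router.js:node_lfi",
     "scanner": {"id": "nodejs_scan", "name": "NodeJsScan"},
     "location": {"file": "app/router.js", "start_line": 42, "end_line": 42},
     "identifiers": [{"type": "nodejs_scan_rule_id", "name": "node_lfi", "value": "node_lfi"}]},
    {"category": "sast", "name": "Use of eval",
     "severity": "High", "confidence": "Medium",
     "cve": "e5f6a7b:app/util.js:node_eval",
     "scanner": {"id": "nodejs_scan", "name": "NodeJsScan"},
     "location": {"file": "app/util.js", "start_line": 7, "end_line": 7},
     "identifiers": [{"type": "nodejs_scan_rule_id", "name": "node_eval", "value": "node_eval"}]}
  ]}
JSON

# Keying on the per-run `cve` string: every pipeline contributes its own row,
# so one real finding shows up once per pipeline that scanned it.
def naive_rows(reports)
  reports.values.flat_map { |json| JSON.parse(json).fetch('vulnerabilities') }
         .map { |v| v.fetch('cve') }.uniq
end

# Fingerprint built only from fields that describe the finding itself
# (scanner, primary identifier, file, line), never from the pipeline or commit.
def fingerprint(v)
  primary = v.fetch('identifiers').first
  parts = [v.dig('scanner', 'id'), primary['type'], primary['value'],
           v.dig('location', 'file'), v.dig('location', 'start_line')]
  Digest::SHA256.hexdigest(parts.join("\0"))
end

# Merge the reports of several pipelines into one record per fingerprint,
# recording which pipelines reported it. A dismissal then has exactly one
# record to act on instead of several rows backed by the same finding.
def dedupe(reports)
  reports.each_with_object({}) do |(pipeline, json), merged|
    JSON.parse(json).fetch('vulnerabilities').each do |v|
      entry = merged[fingerprint(v)] ||= { 'finding' => v, 'pipelines' => [], 'dismissed' => false }
      entry['pipelines'] << pipeline
    end
  end
end

# Dismiss one merged record; other records are untouched.
def dismiss(merged, key)
  merged.fetch(key)['dismissed'] = true
  merged
end

if __FILE__ == $PROGRAM_NAME
  reports = { 'pipeline-1' => REPORT_PIPELINE_1, 'pipeline-2' => REPORT_PIPELINE_2 }
  puts "rows when keyed on the per-run cve field: #{naive_rows(reports).size}"
  dedupe(reports).each do |key, e|
    loc = e['finding']['location']
    puts "#{key[0, 12]} #{e['finding']['name']} #{loc['file']}:#{loc['start_line']} " \
         "seen in #{e['pipelines'].join(', ')}"
  end
end
```

The caveat a practitioner would want: a fingerprint that includes `start_line` still splits a finding whenever the code above it moves between commits, so in practice the line number is usually replaced by something more stable, such as a hash of the affected source line or a scanner-provided stable identifier; the example shows the minimal change needed to stop identical occurrences from being shown once per pipeline.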